By Mark Guntrip, Senior Director of Cybersecurity Strategy, Menlo Security
A new breed of attacker has emerged, one that has learned to weaponize the web browser.
The Highly Evasive Adaptive Threats (HEAT) attacks they now use to compromise browsers, gain initial access to the endpoint and deploy threats like ransomware or malware are notable for their ability to evade detection. That, together with their ability to get malicious payloads onto endpoints, means that HEAT attacks can be confused with Advanced Persistent Threats, or APTs. But there are some key differences between the two, and they operate in very different stages of the attack kill chain.
So, what are the differences between HEAT attacks and APTs?
What is HEAT?
HEAT attacks are high-volume threats. For the threat actor it is a numbers game, and the aim is to maximise the chance that any given attempt succeeds. The two key words, ‘evasive’ and ‘adaptive’, describe how they do that: attackers want each threat to be as evasive as possible so that it is never detected in the first place.
That means they understand how to bypass a particular technology or security technique that is typically in place. Whether it is phishing detection on email or sandboxing, there is a reasonably well understood ‘standard’ level of technology in an organisation, and if attackers know they can evade this type of detection, they will have a much higher rate of success.
The ‘adaptive’ side of HEAT is how the attack changes over time in order to maintain that evasiveness. Evading URL reputation is a good example. Rather than quickly registering a domain, populating it with content and malware and pushing it out, attackers study how URL reputation systems decide whether a site is malicious and behave in a way they know will be classified as legitimate. They register a domain and let it age for a period before using it, so it is no longer ‘new’. They then populate it with relevant, benign-looking content so that it is categorised the way they want. Once they confirm the site is rated as good, they use it for the attack. If the URL reputation engines change how they classify sites, the attackers change their preparation accordingly before the domain is ever used in a HEAT attack.
Threat volume in general is rising, and HEAT attacks are rising with it. HEAT attacks can be used by Ransomware as a Service (RaaS) operators to gain initial access. Some attackers’ entire business model is to gain initial access into as many networks as they can and then sell that access on to someone who wants to deploy malware on the network. They won’t sell it to just one buyer but to many, so a single breach can result in five, 10, 100 or more threat actors being able to put their malware on that network.
What are APTs?
APT is a class of threats designed to stay undetected. Once in the network, they remain there for as long as possible and do whatever the attacker wants to do with that access, whether looking around, stealing data or credentials, or deploying ransomware. They are often used by nation-state sponsored groups to go after high-value targets and, more recently, by crimeware groups.
What’s the difference between the two?
They are very much two sides of the same coin, or two parts of the same process. The main difference is that a HEAT attack gains initial access to a target network, and an APT does the damage once it is deployed inside. A HEAT attack itself does no damage; it delivers the thing that does. But they shouldn’t necessarily be thought of as distinct and separate, because they can be combined in the same attack. The Nobelium campaign, for example, used HTML smuggling, a HEAT technique, to deliver the APT’s payload to victims.
What should cybersecurity teams know about HEAT attacks?
With hybrid and remote working, people use whatever device they have to connect to the corporate network, and all of those devices have to be treated as part of a single system. For example, if a user is on a Mac signed into their personal iCloud account, anything that comes through and attacks that personal account can be relayed to a corporate device. The potential impact of this, especially when it comes to HEAT attacks, is huge. If somebody gets initial access to a personal device, it can then be used to reach corporate resources, which is much the same as having initial access to a corporate-owned device with all of the same rights.
Attackers are getting better at evading the tools and systems already in place, and also at tricking users into clicking on a link or downloading a file that activates a threat. More education and awareness are needed about HEAT attacks, how they work and what they can do, as well as better visibility into what a HEAT attack looks like. In the industry we talk a lot about prevention, but we also need better levels of detection.
Finally, and most important, is having visibility into the browser. HEAT attacks exist in the browser, and endpoint security solutions do not necessarily have visibility into what is going on inside it. The browser is not only a blind spot but also the most targeted access point.
About the Author
Mark Guntrip is Senior Director of Cybersecurity Strategy at Menlo Security, responsible for articulating the future of threats to security leaders around the world. Prior to joining Menlo Security, Mark was a security strategist at Proofpoint, Symantec, Cisco and several other leading cybersecurity providers.